
Android.DownLoader.558.origin

Added to the Dr.Web virus database: 2017-07-06

SHA1:

  • bc202804250692ffa889d96f056cc86422efbeb1

Detection name for the Excelliance software platform (SDK), which developers embed into Android games and applications. It is designed to optimize the update process, but it can operate as a downloader Trojan and fetch other programs.

Android.DownLoader.558.origin is a JAR package named main2.jar. It is stored encrypted in the /assets directory of the application it is embedded into, alongside that program's other resources. On the first launch of the host program or game, the package is decrypted and run. From then on it starts on its own every time the mobile device connects to the Internet.

Android.DownLoader.558.origin monitors the network connection state and, on every Internet connection or disconnection, checks whether the command and control server http://sdk-o******eota.com is reachable. When contacting it, the Trojan sends requests of the following form:

/picksingleapk.php?chid=61762&imei=000000000000000&imsi=310260*******00&vercode=2***1&uid=30&
pkg=com.actgames.bbrr.sgp&api=19&release=4.4.2&sdkver=106870&brand=generic&
manufacturer=unknown&model=google_sdk&product=google_sdk...

As a response, the Trojan can get a command to download DEX, APK and ELF files.

Code from the downloaded DEX files is loaded and executed automatically via DexClassLoader, which resides in the main application (detected as Android.RemoteCode.81.origin).

When downloaded APK files are launched, the standard system dialog box is displayed to the user. If the device has root access, however, they are launched automatically without that dialog.

File permissions for the downloaded APK and ELF files are set using the system tool chmod.
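As an added example (not part of the Dr.Web description), a small Python detector that flags the C2 beacon pattern described above in proxy log lines. The log line format, the server hostname, and the unmasked imei/imsi/vercode values are constructed assumptions; chid, pkg and sdkver are taken from the request shown in the entry.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the request described in the Dr.Web entry:
# the fixed script path and the identifying query parameters.
C2_PATH = "/picksingleapk.php"
C2_PARAMS = {"chid", "imei", "imsi", "vercode", "pkg", "sdkver"}


def is_excelliance_beacon(url):
    """Return True if url matches the Excelliance C2 request pattern."""
    parts = urlsplit(url)
    if parts.path != C2_PATH:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    # Require the full set of device/SDK identifiers, not just the path,
    # so an unrelated script that shares the name is not flagged.
    return C2_PARAMS.issubset(query)


def flag_beacons(log_lines):
    """Scan proxy log lines ("<time> <client_ip> <method> <url>", an assumed
    format) and return one record per matching beacon."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client_ip, url = fields[1], fields[3]
        if not is_excelliance_beacon(url):
            continue
        query = parse_qs(urlsplit(url).query)
        hits.append({
            "client": client_ip,
            "host": urlsplit(url).hostname,
            "pkg": query.get("pkg", [""])[0],       # the embedding app
            "sdkver": query.get("sdkver", [""])[0],
        })
    return hits


# Constructed sample log. The host and the imsi/vercode values are
# placeholders (the entry masks the real ones); chid, pkg, sdkver as published.
SAMPLE_LOG = [
    "2017-07-06T10:00:01Z 10.0.0.12 GET http://c2-placeholder.invalid/picksingleapk.php"
    "?chid=61762&imei=000000000000000&imsi=310260000000000&vercode=20001&uid=30"
    "&pkg=com.actgames.bbrr.sgp&api=19&release=4.4.2&sdkver=106870&brand=generic",
    "2017-07-06T10:00:02Z 10.0.0.13 GET http://www.example.com/index.html",
    "2017-07-06T10:00:03Z 10.0.0.14 GET http://other.invalid/picksingleapk.php?chid=1",
]

if __name__ == "__main__":
    for hit in flag_beacons(SAMPLE_LOG):
        print(hit)
```

The third sample line shares the script path but lacks the device identifiers, so it is deliberately not reported.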

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Dr.Web © Doctor Web
2003 — 2020
